From f2944161083cf080b6300345f64e31ab31c695c2 Mon Sep 17 00:00:00 2001
From: Luiz Carvalho <lucarval@redhat.com>
Date: Thu, 21 Nov 2024 14:44:51 -0500
Subject: [PATCH] Emit term for base_image_permitted

This commit changes the policy rule
`base_image_registries.base_image_permitted` so it includes a term in
its result. The term is the repository portion of the base image
reference - everything but the tag and digest.

This allows users to allow certain base image registries as an
exception, especially if time bound, e.g.:

```yaml
volatileConfig:
  exclude:
    - value: 'base_image_registries.base_image_permitted:my-shady-registry.io/foo/bar'
      effectiveUntil: '2024-12-01T00:00:00Z'
```

Ref: EC-649

Signed-off-by: Luiz Carvalho <lucarval@redhat.com>
---
 antora/docs/modules/ROOT/pages/release_policy.adoc           | 4 ++--
 .../release/base_image_registries/base_image_registries.rego | 3 ++-
 .../base_image_registries/base_image_registries_test.rego    | 5 +++++
 3 files changed, 9 insertions(+), 3 deletions(-)

diff --git a/antora/docs/modules/ROOT/pages/release_policy.adoc b/antora/docs/modules/ROOT/pages/release_policy.adoc
index f822dac4..f6f993ff 100644
--- a/antora/docs/modules/ROOT/pages/release_policy.adoc
+++ b/antora/docs/modules/ROOT/pages/release_policy.adoc
@@ -311,7 +311,7 @@ Confirm the `allowed_registry_prefixes` rule data was provided, since it's requi
 * Rule type: [rule-type-indicator failure]#FAILURE#
 * FAILURE message: `%s`
 * Code: `base_image_registries.allowed_registries_provided`
-* https://github.com/enterprise-contract/ec-policies/blob/{page-origin-refhash}/policy/release/base_image_registries/base_image_registries.rego#L77[Source, window="_blank"]
+* https://github.com/enterprise-contract/ec-policies/blob/{page-origin-refhash}/policy/release/base_image_registries/base_image_registries.rego#L78[Source, window="_blank"]
 
 [#base_image_registries__base_image_permitted]
 === link:#base_image_registries__base_image_permitted[Base image comes from permitted registry]
@@ -335,7 +335,7 @@ Verify the expected information was provided about which base images were used d
 * Rule type: [rule-type-indicator failure]#FAILURE#
 * FAILURE message: `Base images information is missing`
 * Code: `base_image_registries.base_image_info_found`
-* https://github.com/enterprise-contract/ec-policies/blob/{page-origin-refhash}/policy/release/base_image_registries/base_image_registries.rego#L47[Source, window="_blank"]
+* https://github.com/enterprise-contract/ec-policies/blob/{page-origin-refhash}/policy/release/base_image_registries/base_image_registries.rego#L48[Source, window="_blank"]
 
 [#buildah_build_task_package]
 == link:#buildah_build_task_package[Buildah build task]
diff --git a/policy/release/base_image_registries/base_image_registries.rego b/policy/release/base_image_registries/base_image_registries.rego
index fbb31cdc..e27428c8 100644
--- a/policy/release/base_image_registries/base_image_registries.rego
+++ b/policy/release/base_image_registries/base_image_registries.rego
@@ -41,7 +41,8 @@ import data.lib.sbom
 deny contains result if {
 	some image_ref in _base_images
 	not _image_ref_permitted(image_ref)
-	result := lib.result_helper(rego.metadata.chain(), [image_ref])
+	repo := image.parse(image_ref).repo
+	result := lib.result_helper_with_term(rego.metadata.chain(), [image_ref], repo)
 }
 
 # METADATA
diff --git a/policy/release/base_image_registries/base_image_registries_test.rego b/policy/release/base_image_registries/base_image_registries_test.rego
index 29641cc6..1d0ff8c2 100644
--- a/policy/release/base_image_registries/base_image_registries_test.rego
+++ b/policy/release/base_image_registries/base_image_registries_test.rego
@@ -94,14 +94,17 @@ test_disallowed_base_images if {
 		{
 			"code": "base_image_registries.base_image_permitted",
 			"msg": "Base image \"registry.redhat.yo/ubi7/3\" is from a disallowed registry",
+			"term": "registry.redhat.yo/ubi7/3",
 		},
 		{
 			"code": "base_image_registries.base_image_permitted",
 			"msg": "Base image \"registry.redhat.ioo/spam/3\" is from a disallowed registry",
+			"term": "registry.redhat.ioo/spam/3",
 		},
 		{
 			"code": "base_image_registries.base_image_permitted",
 			"msg": "Base image \"dockery.io/busybox/3\" is from a disallowed registry",
+			"term": "dockery.io/busybox/3",
 		},
 	}
 	lib.assert_equal_results(base_image_registries.deny, expected) with lib.sbom.cyclonedx_sboms as sboms
@@ -136,10 +139,12 @@ test_disallowed_base_images_with_snapshot if {
 		{
 			"code": "base_image_registries.base_image_permitted",
 			"msg": "Base image \"docker.io/library/registry:latest@sha256:bcd\" is from a disallowed registry",
+			"term": "docker.io/library/registry",
 		},
 		{
 			"code": "base_image_registries.base_image_permitted",
 			"msg": "Base image \"registry.redhat.io/ubi7:latest@sha256:abc\" is from a disallowed registry",
+			"term": "registry.redhat.io/ubi7",
 		},
 	}